EvilFingers: Botnet. Securing the new version of Zeus

A few days ago a new version of Zeus (also known as Zbot, wsnpoem, Ntos or Prg) is around for the big cloud. This new version incorporates several features which emphasizes the possibility of spreading the threat of an exploit vector of infection is most commonly used as e-mail.

But perhaps the most interesting is in making its structure through the incorporation of a new security layer implemented during the authentication process to its panel of administration and control.

The authentication process in previous versions, is composed of three fields: the user name, password and another that provides the language with which it's displayed crimeware, offering two options: English and Russian (the latter, the native tongue of the creator of the package).

The new version not only has the authentication options above but adds a new field that offers greater security against attempts to "cracking the password".

The incorporation of this new change isn't unique. It has also optimized the code Zeus and slightly modified the display of its different modules, the structure being setup as follows:

/install > folder where the installer is housed
/system > folder that hosts the file system
/theme > design to be displayed with the Zeus
cp.php > control panel
gate.php > backdoreo of the bot
index.php > prevents the file list
/system/config.php > configuration file
/system/fsarc.php > script that calls an external file

The appearance of previous versions of the panel installation, as seen in the catch, has five sections: Root login, MySQL server, MySQL tables, Paths and Local Options.

The new version optimized features four sections: Root user (authentication data equivalent to Root login), MySQL server (login information to the database), Local folders (log file on the actions of Zeus) and Options (which incorporates the default encryption option).